CVE-2020-35730

Published Dec 28, 2020

Last updated 6 months ago

Exploit knownCVSS medium 6.1
Server

Overview

Description
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Source
cve@mitre.org
NVD status
Analyzed
Products
webmail, fedora, debian_linux

Risk scores

CVSS 3.1

Type
Primary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

CVSS 2.0

Type
Primary
Base score
4.3
Impact score
2.9
Exploitability score
8.6
Vector string
AV:N/AC:M/Au:N/C:N/I:P/A:N

Known exploits

Data from CISA

Vulnerability name
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Exploit added on
Jun 22, 2023
Exploit action due
Jul 13, 2023
Required action
Apply updates per vendor instructions.

Weaknesses

nvd@nist.gov
CWE-79
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-79

Social media

Hype score
Not currently trending

  1. I have added the fancy_bear tag to KEVIntel to all the vulnerabilities mentioned in the latest CISA advisory • CVE-2023-23397 • CVE-2020-12641 • CVE-2020-35730 • CVE-2021-44026 • CVE-2023-38831 https://t.co/ZrIVvM3JXC

    @ethicalhack3r

    22 May 2025

    248 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. #APT28 Different XSS vulnerabilities being used to target additional webmail software: Horde, MDaemon, and Zimbra. Roundcube CVE-2020-35730 CVE-2023-43770 MDaemon CVE-2024-11182 Outlook Elevation of Privilege Vul CVE-2023-23397 Zimbra CVE-2024-27443 https://t.co/VX2gyK5WkH https:

    @blackorbird

    16 May 2025

    3161 Impressions

    22 Retweets

    63 Likes

    23 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Microsoft SharePoint Server Improper Input Validation VulnerabilityCVE-2026-32201
  2. Apache ActiveMQ Improper Input Validation VulnerabilityCVE-2026-34197
  3. Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.CVE-2026-35390
  4. Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.CVE-2026-35391
  5. Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.CVE-2026-35389

References

Sources include official advisories and independent security research.